Ubuntu Touch safety architecture

For me the reason is easy, Chapter 3.

14 March 2019

This time, I have tried to set out the basic privacy and safety features of Ubuntu Touch!

1. An Open Source project based on Linux kernel. This means that anyone with the right expertise (including some in our own community) can see what is going on under the hood!

2. Built on Xenial: We are on a version of the OS which is supported by current Upstream patches: The newest security updates from Debian and Ubuntu development can be incorporated as soon as they appear.

3. Periodic community software security and performance updates for our supported devices mean that their safe life is extended, without having to spend your money on new hardware, in order to get the latest protection.

4. Easy online bug reporting, including directly from your device for all users. Ease of reporting makes us all safer and makes Ubuntu Touch more stable. The community hosts either on GitHub or GitLab, with gradual movement towards GitLab.

5. A special advantage of Ubuntu Touch comes from the locked down permissions of confined apps, aka their AppArmor permissions. AppArmor is a security feature which only enables apps to access their own restricted files and cannot run in the background or access services like GPS location unless specifically requested. You can view all the permissions that an app requests before you install it on your device. Apps can access the files you want them to access via the Content Hub system. That system acts as an intermediary, transferring only the files which you allow the confined app to access.

The job of Content Hub is to provide an API and a run time service to enable apps to share content with and import content from other apps. That is the path where the core apps import ContentHub files. This makes for a very secure operating system that places your privacy in your own hands, without undermining the application's purpose or usefulness: you allow them to do only what you want them to do - a proper separation between private storage and public storage.

6. But that is not all, a very important part of understanding an application's confinement permissions is to know about the trust model. Ubuntu's and Ubuntu's Touch trust model is based on Trusted and Untrusted apps.

Most of the apps available in the Ubuntu Touch OpenStore run in a restricted sandbox as defined by Ubuntu in Application Confinement. Reviews of apps may not be carried out in depth but by default they are classified as 'Untrusted'. This is not as scary as it sounds. It just means that tight limitations are applied as a default. In fact, most OpenStore apps fall into that Untrusted category.

Such applications:

can freely access their own data. Every piece of content is owned by one and only one app. There is, for example, no single app that owns all the photos

cannot access user data (which may include data about other people, that the user has stored e.g. Contacts)

cannot access privileged portions of the OS

cannot access privileged APIs, such as Telephony (so it cannot make calls or send text messages, for example)

may access sensitive APIs with user permission, such as Location or Online Accounts

are not typically among the core apps supported by UBports

Software and apps installed as part of the base OS or part of the Ubuntu Touch archive are considered Trusted by the OS. These applications typically do not run under confinement.

User applications trusted by the OS:

typically can access any resources or data available within the user's session

have limited access to system services and data as defined by the OS (ie, traditional filesystem permissions, PolicyKit, etc)

are supported by UBports and may receive security and high impact bug fixes based on the software's support status

Unconfined apps are subject to manual code review and checks that they do not include any proprietary code.

Importantly, permission for OpenStore apps to access sensitive data is typically granted or denied at the time of access (caching the result for later use as appropriate), so users can see the context in which access is being requested. This also provides better usability and less confusion overall.

source: ( https://docs.ubuntu.com/phone/en/devices/ )

Morph

uAdblock

VPN

7. Despite the default browser Morph having DuckDuckGo as its default search engine, its resistance to tracking is still quite limited, as it is in an early stage of development. It can nevertheless be made better by adding the great tool provided by Marius Gripsgaard. His uAdblock app will block most ads and trackers.

During Q&A 44 it was also asked whether at some stage it might be possible to implement Tor browser in Ubuntu Touch. That would be a very big project and not practical in the near future but a reminder here that VPN is already integrated at a system-level into Ubuntu Touch if you want to use it.

8. To free users from using proprietary messengers, Ubuntu Touch has promoted use of the Matrix protocol for secure and decentralized chatting. That is now available through the uMatriks and FluffyChat apps (FluffyChat is expected to implement the end-to-end chat encryption capabilities of Matrix soon, for one-to-one chats). There is a UBports server if you want to use it but no "FluffyChat server" you are forced to use. Use whichever server you find trustworthy or host your own, to maximize the safety of your personal information.

9. Nextcloud HTML5 app and uBsync native app are there to keep your device data, videos and photos safe on your personal home cloud or on your own or trusted NAS.

11. There are dedicated safety apps such as the Jade Diamond browser HTML5 app for children! UbuntuTweakTool app provides access to personalized settings for your device. KeePit is a native app, a read only version of KeepassX to keep your passwords safe. The official app store for Ubuntu Touch is called OpenStore and it has policy terms that respect your privacy and does not track your downloads ...

12. Thanks to the WebAppCreator app available in the OpenStore you can create your very own web apps and HTML5 apps that run in a web container. You know you can trust these, as you were the author and anyway the app cannot be tracked by the standard browser because it has its own container. In many cases you do not need a native app to get what you are looking for. Just be sure you have used the HTTPS protocol and set up the minimum access permissions needed by the app. You can even share your completed app with friends or make it available on OpenStore, subject to the upload rules.

Note: Ubuntu web apps and Ubuntu HTML5 apps are similar but not identical. The main difference is that the content of a web app is provided through a URL, whereas HTML5 apps install their own content (and usually provide an Ubuntu HTML5 GUI). Web apps also have restricted access to platform APIs.

14. By default, developer mode is turned OFF to prevent anyone connecting to your device to access, change or delete anything. Nevertheless you may be asking "What about home folder encryption?" The honest answer is that there is no full disk encryption support yet and providing it would not be as simple as one might think.

"This is not a user friendly process, it is not supported by the UBPorts developers, and it will likely break and need to be manually fixed after any major OTA update, so do not try this unless you know your way around crypt-setup and filesystem mounts very well."

At this point, I should also mention the comment made on the forum by @dobey:

"Really, there can be no safeguards, because currently we cannot re-lock the bootloader, and even if we had full disk encryption, the key has to be stored on the same flash as the encrypted data. Given that, one could simply copy all data off, and then brute force the wrapped passphrase for the encryption key, to eventually decrypt. Until we can re-lock the bootloader and have recovery without adb, and ideally store the encryption key in the SoC's internal secure key storage rather than on flash, what we can do in UT in terms of physical security is fairly limited."

But as @trainailleur said in reply to @dobey:

"FDE is a much tougher nut to crack than simply encrypting those filesystems which can be mounted or remounted after boot, but given the more immediate issues facing the Ubuntu Touch OS developers, we may be happy with Chris Croome's workaround for a first step considering how Ubuntu Touch is installed, how updates are deployed, and the need of existing devices to piggyback on lower-level guts."

For a global and somewhat deeper overview of the Ubuntu Touch OS architecture and its development, see this great presentation by Alberto Mardegan in English at Linux Piter, It is called: Ubuntu for Phones raises from the ashes.